ActivTrak Alarms Guide

ActivTrak's Alarms feature helps organizations get alerted in real-time about risky events so they can take immediate action. There are three alarm types in ActivTrak:

  • User Activity Alarms: Triggered by specific user activity
  • USB Alarms: Detect USB and/or file-sharing activity
  • Security Audit Alarms: Triggered by changes made to your ActivTrak Account

Leverage out-of-the-box alarms for common scenarios or create your own based on any combination of conditions. Alarms are available in all paid plans.

Privacy, security and access

ActivTrak is committed to safeguarding customer and user data through enhanced measures that ensure compliance with business policies, industry regulations, and applicable laws. ActivTrak’s privacy-first approach empowers organizations to leverage the transformative power of workforce analytics without compromising data privacy and trust with employees.

That's why we offer several privacy, security, and access controls with our Alarms feature.

Custom role-based access to Alarms, including each individual subpage, is available to all paid plan types. For example, an Admin can provide a manager with read-only access to the Alarm Log but block the manager from accessing the Alarm Configuration page. 

The user role types that can access Alarms are Admins, Configurators, and Power Users. Viewers are unable to access any Alarm pages.

To update access permissions for Alarms, navigate to Settings > Access > Role Access.

Click the down arrow in the Alarms row to expand all sub-page access options. Then, select or deselect access to each page by role type, as shown in the screenshots below.

Updating Alarms access permissions (for accounts without Screen Details)

Updating Alarms access permissions (for accounts with Screen Details)

 

To learn more about customizing user roles in ActivTrak, click here.

Out-of-the-box alarms

ActivTrak's Alarms feature comes with a set of pre-configured alarms that you can leverage immediately out-of-the-box for common scenarios such as risky file sharing, access of inappropriate content, attempts to cheat the system or potential reporting issues. To get started, visit the Alarms Configuration page (Alarms > Configuration) and learn more about each alarm below.

Out-of-the-box alarms in the Alarm Configuration page

User Activity Alarms

  • Potential Mouse Jiggler or False Activity: The Potential Mouse Jiggler or False Activity alarm is turned off by default. Toggle it on to be alerted when a user may be using a mouse jiggler or other activity-mimicking tool. Learn more about detecting mouse jigglers and other activity-mimicking tools here.
  • Adult Content Accessed: The Adult Content Accessed alarm is turned off by default. Toggle it on to be alerted when a user accesses an adult content site, such as Pornhub.
  • AI Usage: The AI Usage alarm is turned off by default. Toggle it on to be alerted when a user accesses an AI tool, such as ChatGPT.
  • PII Accessed: The PII Accessed alarm is turned off by default. Toggle it on to be alerted when a user accesses sensitive, personally identifiable information (PII) such as social security numbers.
  • Potential Job Search: The Potential Job Search alarm is turned off by default. Toggle it on to be alerted when a user accesses a job search site, such as indeed.com.
  • File Sharing: The File Sharing Alarm is turned off by default. Toggle it on to be alerted when a user accesses a file-sharing site, such as Dropbox.
  • Social Media Break: The Social Media Break alarm is turned off by default. Toggle it on to be alerted when a user accesses a social media site, such as Facebook.
  • New Activity Screenshot: The New Activity Screenshot alarm is turned off by default. Toggle it on to trigger a screenshot when a user has been active in a new activity for 20 seconds. Note: This alarm is only available to customers with the Screen Details add-on enabled.
  • Blocked Website Accessed: The Blocked Website Accessed alarm is turned on by default. Users who visit websites in the blocked website list will automatically be redirected to websiteisblocked.com. This alarm is triggered when a user visits websiteisblocked.com and the title bar contains 'website is not available' to keep a record of who is trying to access blocked websites.

USB Alarms

  • Data Saved to USB: The Data Saved to USB alarm is turned off by default. Toggle it on to be alerted when a user transfers data to a USB device.

Note: The ActivTrak Agent does not have access to anything written on a USB device. In the event the alarm is triggered, we suggest taking a look at the user's Activity Log to get a better idea of their activities around the time the alarm was triggered.

Security Audit Alarms

  • ActivTrak User Deleted: The ActivTrak User Deleted alarm is turned on by default. It is triggered when a user or computer is deleted from the account.
  • Alarm Deleted: The Alarm Deleted alarm is turned on by default. It is triggered when an Admin deletes an alarm in the account.
  • Agent Likely Uninstalled: The Agent Likely Uninstalled alarm is turned on by default. It is triggered when a user attempts to uninstall their ActivTrak Agent from their device.
  • Computer Not Reporting: The Computer Not Reporting alarm is turned off by default. Toggle it on to be alerted when there is a potential problem with a computer due to abnormal reporting behavior.

Updating out-of-the-box alarms

To review and update the settings for preconfigured alarms, click the blue "Edit" button to the right of the alarm.

1. Under "SELECTED GROUPS", you can specify which groups you would like the alarm to apply to. Note: The default is set to All Users and Computers.

2. Under "CONDITIONS", you can see the preconfigured conditions that trigger the alarm. Each of these conditions can be edited or deleted. You can also add your own conditions by clicking "+Add Condition" at the end of the existing condition list.

Note: "MATCH ANY" is the default and recommended setting unless you require all conditions to be met for the alarm to trigger. In that case, make sure you select "MATCH ALL" above the conditions list. 

3. Select the actions you want to be performed when conditions are met in the "Actions" section.

  • To receive email notifications, add the recipient's email address(es), add a subject line, and your desired email body content in the respective sections.
  • To receive alerts via Slack, MS Teams, or another method via webhooks, toggle on "SEND EXTERNAL NOTIFICATIONS WHEN ALARM IS TRIGGERED", then select the destination from the drop-down menu. To learn more about using alarms with webhooks, click here.

4. When finished, click the green "Save" button to apply changes.

Creating new alarms

1. To start, click on "Create New Alarm" at the top left and then fill out the prompts in the box asking to name the new alarm as well as choose the type of alarm.

There are three types of Alarms:

  • Activity: These alarms will be used to capture screenshots and react to employee behavior.
  • USB: Available on the Advanced plan, these will trigger when a USB storage device is inserted or written to.
  • Security Audit: Also available on the Advanced plan, these can be set to trigger when changes are made to the account.

This guide focuses on Activity Alarms.

2. After naming the alarm and selecting "Activity" the screen will change and a prompt to enter in conditions will appear. 

3. Next, conditions will need to be added. Alarms function as an IF: THEN statement. If X happens, do Y. Conditions function as the IF part of this equation.

Depending on the goal of the alarm and which triggers will be used, we'll need to tell the alarm to trigger either when ANY of the conditions are met or only if ALL conditions are met.

There are three parts to a Condition:

Field: This section is where the alarm will look to match the conditions given.

  • Computer: Meta Description of the website or application.
  • Description: Meta Description of the website or application.
  • Duration (Sec): How long the user is on that activity.
  • Executable: The name of the application or process.
  • Private IP Address: The network to which the computer is connected.
  • Logon Domain: For large installations and Active Directory-connected computers, the primary domain is where the user logs in. For local users, this is usually the computer name.
  • Primary Domain: For large installations and Active Directory-connected computers, the primary domain is where the computer is connected.
  • Title bar: Located at the top of a window, displays the name of the website or application being used.
  • URL: The website address, for example, www.google.com.
  • User: The name of the user inside ActivTrak.

Operators: This section tells the agent how to look for the keyword in the selected field.

  • Contains: The keyword is present somewhere in the field.
  • Does Not Contain: The keyword is NOT present somewhere in the field.
  • Ends with: The keyword is the last part of the string in the field.
  • Equal to: The keyword is exactly what is entered in the field. For example "Google.com" will exclude "www.Google.com".
  • Not Equal to: The keyword does not appear in the way it was entered in the field.
  • Starts with: The keyword appears at the beginning of the string.
  • Greater than: For fields with numerical values. For example, if Duration (seconds) is greater than "10", would tell the Alarm to trigger if a user was active for 11 seconds or longer.

Value: The keyword or number that the Alarm is looking for in order to trigger. This can be the website name, username, keyword in a title bar or description, or the time in seconds the user is active on a particular window.

4. Finally, the Alarm can be toggled to look for the Value to be case sensitive or not.

5. There is also the option to trigger only for specific users, or to tell the Alarm to trigger for everyone except a specific user (for example, someone in Human Resources).

Note: When using conditions that require a change from "Match Any" to "Match All", a warning will appear.

6. Now that the Conditions are set, it's time to tell the agent what actions to take when the Alarm is triggered.

There are six main actions that can be set:

  • Screen Captures: Screen Captures tell the agent to take a screenshot when the alarm is triggered. Advanced accounts have the option to take multiple screenshots at a user-defined interval, with the minimum being 10 seconds.
  • Pop-up Messages: Pop-Up Messages are on-screen notifications administrators can have displayed on the end user's screen if the Alarm is triggered. The message can be custom-tailored to whatever the administrator would like and has the option for pre-filled text.
  • Email Notifications: Email Notifications allow the administrator to be alerted whenever the Alarm triggers. The "To" field can be populated by anyone who is listed inside Account > Access. Just like with Pop-Up Messages, the Subject and Email Body fields can be prefilled with the fields offered or the administrator can create a custom message.
  • Webhook Notifications: Webhooks allow administrators to integrate ActivTrak alarms into other applications such as Slack or Zapier. Simply plug in the URL generated by the destination application and any additional parameters if needed.
  • Terminate: Activating the Terminate action on an Alarm tells the agent to close the application that triggered that alarm. Using the Facebook example from above, if a user were to open Facebook with this Alarm active, the browser would be closed immediately, including non-Facebook tabs the user may have been using.
  • Alarm Risk Level: This allows administrators to assign a point value to certain alarms, making it easier to detect and quickly analyze certain behaviors.

7. Be sure to click the green Save button either at the top or bottom of the page!

Alarms Based on System Events such as LOGON

Admins may want to set alarms based on a system event. This requires both Titlebar and Executable conditions. Common scenarios may be to send a pop-up to remind users upon login that they are being tracked, or to email an Admin when a former employee accesses a device that hasn't been returned yet.

1. Go to Alarms > Configuration and then either add a new Activity alarm or edit an existing one.

2. For a pop-up, 'All Users and Computers' must be selected and the account must have the Screen Details Add-on. If a pop-up is not required (for example, when an email notification is needed instead), specific groups can be selected.

3. Conditions must be set to MATCH ALL. Note: this also means that triggers based on LOGON and LOGOFF will require separate alarms.

4. Add both the Titlebar and Executable conditions as seen below. In our specific example, the Titlebar is equal to "LOGON" and the Executable is equal to "SYSTEM EVENT". Note: to trigger for only ONE user, you can add a third condition with Username | Equal To. Since MATCH ALL is on, multiple users cannot be listed as conditions. To trigger for multiple but not all users, set selected group(s) in step 2.

5. If applicable, toggle the pop-up on and type in the message that should be displayed at login. Or, toggle any other desired action(s) such as email notification for when the alarm is triggered.

6. Click the green Save button either at the top or bottom of the page, and then make sure the alarm is activated. Enabled alarms will all be toggled blue on the main Alarm Configuration page.

Setting up group-based alarms

Setting up a group-based alarm provides admins the opportunity to create alarms that apply only to specific groups. For example, if the marketing team needs access to Facebook, but the engineering team should never be on Facebook, an admin may want to create an alarm for anytime an engineering team member accesses Facebook.

How To:

1. In order to set up a new Group-Based alarm, navigate to Alarms > Configuration and select Create New Alarm.

2. Name the alarm and choose the Activity Alarm option.

3. Once on the alarm configuration page, select which group(s) you want to make the alarm effective for and finish the settings.

4. This lets you determine which users you want to be alerted for without cluttering up the conditions section, and makes alarms easier to read and set.

Responding to alarms

In addition to configuring an alarm to trigger based on certain criteria, you can also take action and respond to alarms.

Enabling the pop-up feature in alarms provides a notification to the employee, so they can immediately self-correct and become aware that their activity may not be allowed.  

Creating a Pop-Up Alarm:

As an example, you may not want employees to access YouTube during work hours, but a Terminate alarm may not be ideal because it will close the browser including any tabs that are work-related.

This can be accomplished using the following conditions:

  • Match Any
  • Field: Titlebar 
  • Operator: Contains
  • Value: youtube
  • Case Sensitive: no

These conditions tell the agent to trigger the alarm when it sees "youtube" inside the title bar. Depending on your goal, you may need to tweak this to be more specific, for example if you want to allow certain videos on YouTube but not others.

Once the Pop-Up message action has been enabled, you will be prompted to enter in a message that will be seen by your end-user when the alarm is triggered.

There is an option to pre-fill some of this information by clicking on the tags above the text box. These will be contextual, changing based on who, or what triggers the alarm.

Using the example above, this is what an end-user would see based on these conditions:

NOTE: If you are using a discreet deployment and your employees do not know they are being monitored, it is not advisable to use Pop Up messages in your alarms.

Terminating Applications with alarms

While ActivTrak’s Blocking feature can prevent users from accessing specific websites, Terminate Alarms will stop the usage of specific applications or close the browser if certain keywords or conditions are met. This can limit activities that are unproductive, inappropriate or likely to compromise company data.

Terminate alarms will work similarly to other custom alarms in that you will first need to select the conditions that will cause the Alarm to trigger. Once the desired conditions are created, simply turn on the terminate action and the Alarm will close any application that meets those conditions.

NOTE: If you are using a discreet/silent deployment method, terminating may not be the ideal action. There is no mention of ActivTrak or indication as to why the application was closed, but users will notice and may question whether something has been installed on their computer.

In the example below, the goal is to stop employees when they try to access Dropbox.com, where they could potentially upload and share sensitive company documents.

Example with Detailed Steps:

  1. Navigate to Alarms > Configuration using the left menu.
  2. Click the green "+ Create New Alarm" button in the top left corner.
  3. Name the alarm and choose what type of alarm it will be. For this example, we named it "Dropbox Alarm" and selected "Activity".
  4. The terminate toggle can only be used when "All Users and Computers" has been selected under the top "Group Alarm" section. To terminate only for a specific user/computer, add a condition (example included below).
  5. Fill out the condition(s) for which you want the application to be terminated. For example,
  • Field = Url
  • Operator = Contains
  • Value = Dropbox

6. Scroll down to the “Terminate” toggle and turn it on. (Terminate alarms also pair nicely with Email Notifications and/or External Notifications, so toggle any other desired actions during this step.)

7. Don't forget to check that the "Activate Activity Alarm" toggle in the upper right is green, and then click the green "Save" button next to it.

This example alarm will now close the browser any time any of your monitored users accesses a URL that contains "dropbox". Note: If the application triggering the alarm is a browser, the ENTIRE browser will close, not just the tab or window that met the condition(s).

Other examples:

Terminate both the web and desktop app versions of Zoom when accessed:

  • MATCH ANY
  • Condition 1: Field = Url | Operator = Contains | Value = zoom
  • Condition 2: Field = Executable | Operator = Equal To | Value = zoom.exe

Terminate the browser after a specific user has spent 5 minutes on Facebook:

  • MATCH ALL
  • Condition 1: Field = Url | Operator = Contains | Value = facebook
  • Condition 2: Field = Duration (seconds) | Operator = Greater Than | Value = 300
  • Condition 3: Field = User | Operator = Equal To | Value = username
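
The operators, the case-sensitivity toggle and the MATCH ANY / MATCH ALL setting described in this guide can be dry-run against sample activity before a Terminate action is switched on. The following is an added example, not ActivTrak code: a small Python model of those semantics in which the record layout, the function names and the sample activities are all constructed, and the case-insensitive default is an assumption.

```python
from dataclasses import dataclass


@dataclass
class Condition:
    field: str                    # field name as written in the guide, e.g. "Url"
    operator: str                 # operator name from the guide's operator list
    value: str
    case_sensitive: bool = False  # assumption: insensitive unless toggled on


def condition_matches(cond, activity):
    """Evaluate one condition against one activity record (a plain dict)."""
    actual = activity.get(cond.field, "")
    if cond.operator == "Greater Than":          # numeric fields only
        return float(actual or 0) > float(cond.value)
    actual, wanted = str(actual), cond.value
    if not cond.case_sensitive:
        actual, wanted = actual.lower(), wanted.lower()
    checks = {
        "Contains": wanted in actual,
        "Does Not Contain": wanted not in actual,
        "Starts With": actual.startswith(wanted),
        "Ends With": actual.endswith(wanted),
        "Equal To": actual == wanted,
        "Not Equal To": actual != wanted,
    }
    return checks[cond.operator]


def alarm_triggers(conditions, activity, match="ANY"):
    """MATCH ALL needs every condition to hold; MATCH ANY needs at least one."""
    results = [condition_matches(c, activity) for c in conditions]
    return all(results) if match == "ALL" else any(results)


def dry_run(conditions, activities, match="ANY"):
    """Return the labels of the sample activities that would trigger the alarm."""
    return [a["label"] for a in activities if alarm_triggers(conditions, a, match)]


# Constructed sample activity, not real log data.
SAMPLE = [
    {"label": "zoom-web", "Url": "https://zoom.us/j/123", "Executable": "chrome.exe",
     "User": "jdoe", "Duration (seconds)": 40},
    {"label": "zoom-desktop", "Url": "", "Executable": "Zoom.exe",
     "User": "jdoe", "Duration (seconds)": 600},
    {"label": "map-zoom-param", "Url": "https://maps.example.com/?zoom=12",
     "Executable": "msedge.exe", "User": "asmith", "Duration (seconds)": 15},
    {"label": "facebook-long", "Url": "https://www.facebook.com/",
     "Executable": "chrome.exe", "User": "username", "Duration (seconds)": 301},
    {"label": "facebook-short", "Url": "https://www.facebook.com/",
     "Executable": "chrome.exe", "User": "username", "Duration (seconds)": 300},
    {"label": "facebook-other-user", "Url": "https://www.facebook.com/",
     "Executable": "chrome.exe", "User": "jdoe", "Duration (seconds)": 900},
]

# The two "Other examples" rules from the guide.
ZOOM_RULE = [
    Condition("Url", "Contains", "zoom"),
    Condition("Executable", "Equal To", "zoom.exe"),
]
FACEBOOK_RULE = [
    Condition("Url", "Contains", "facebook"),
    Condition("Duration (seconds)", "Greater Than", "300"),
    Condition("User", "Equal To", "username"),
]

if __name__ == "__main__":
    print("Zoom rule (MATCH ANY):", dry_run(ZOOM_RULE, SAMPLE, "ANY"))
    print("Facebook rule (MATCH ALL):", dry_run(FACEBOOK_RULE, SAMPLE, "ALL"))
```

The third Zoom hit is a constructed URL that merely carries a zoom= query parameter, the kind of over-broad Contains match worth catching before an alarm closes a user's entire browser.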

Using webhooks with alarms

Webhooks are a way for an app to send automated information to other apps. For example, you could create an Alarm that, when triggered, would send information about the app to Slack and post a message.

To create an alert like this, first, navigate to Alarms and create a new alarm. For more information on creating alarms click here.

Next, enable Webhooks:

Then, enter a URL to tell the agent where to send the information. This is usually provided by the app you are trying to insert the information into. (Note: If you are using Slack or MS Teams, detailed guides can be found in the "Learn More" section below.)

Once we have that URL, ActivTrak will by default send a webhook with the following information (depending on your alarm):

  • Date and Time: The exact date and time the user first accessed a specific activity.
  • Computer: The name of the computer pulled directly from the machine itself.
  • Alias: The user alias assigned through the ActivTrak dashboard.
  • Primary Domain: The main domain name of the server.
  • Logon Domain: If the user is Active Directory domain attached, the domain name. If the users are not attached to a domain, the computer name will be shown. Google Chrome agents will not show anything.
  • User: Friendly user name; typically First and Last. Pulled from the operating system.
  • Titlebar: What is read in the title bar of the user's activity.
  • Executable: The executable of the user's activity.
  • Description: A short description of the user's activity.
  • Website: The name of the website the user accessed.
  • URL: The exact URL the user accessed for an activity.
  • Session: The session ID is used by Windows to tell the difference between user sessions. You mainly only see it on Terminal Servers where there are multiple users on one computer, and Session ID 0 is almost always reserved for the System.
  • Duration: The amount of time a user spent active in an activity.
  • IP: The internet protocol address within the local network.

NOTE: You can also add more information by adding to the "Parameters" field. 

The External Notification Log

When you send an External Notification with the Alarms feature, its status is logged in the External Notifications Log.

The status of a webhook changes in one of two ways:

1) From Pending to Delivered, indicating successful payload delivery

or

2) From Pending to Failed, indicating unsuccessful payload delivery.

The Webhook log will state what alarm triggered the webhook, at what time, and how many attempts were taken to deliver the webhook to the destination you set. 

If the webhook fails to be delivered, you will see the Eye icon next to Failed change from grey to blue.

Clicking this will display the reason for the webhook failing. In our example, the reason the webhook failed was missing information in the payload.

On the far right of the grid, a copy of the payload that was sent is displayed and you can click on the Eye icon to view the entire payload in JSON format.

The Alarm Log

The Alarm Log is a report available to Admins, Configurators, and Power Users (Read-only) that documents every triggered alarm instance. To access the Alarm Log, navigate to Alarms > Alarm Log.

The Alarm Log will look very similar to the Activity Log. It will display data like whether or not the action was considered Productive or Unproductive, the name of the Alarm, when it was triggered, which machine was used and by which user, along with the duration of the activity, and other fields.

Each instance of the alarm being triggered has its own entry. By clicking on the screenshot icon next to an instance the screenshot that was captured will be shown. 

The Alarm Log interface will also provide information about the type of alarm it is:

  • Screenshot: Indicates if a screenshot was taken, and if it was, can be clicked to view the screenshot.
  • Pop-up message: Indicates if a pop-up message was displayed (if configured to do so).
  • Email alert: Indicates whether or not an email alert was configured and sent.
  • Webhook: Indicates whether or not a webhook was utilized.
  • Terminate: Indicates whether a terminate command was employed.
  • Risk Level: Shows the Risk Level of the alarm. This article covers Risk Levels in greater detail.

Just like with the Activity Log, we can sort this view by user, group, computer, and date as well as change the columns displayed by using the corresponding boxes in the top left.

It is also possible to export either as a CSV file or to an attached Google Drive account. 
